The CJEU has today delivered its judgment in McFadden, concerning the liability for user copyright infringement of a shop providing free Wi-Fi. The CJEU confirmed that the provider benefited from conduit protection from damages under the Electronic Commerce Directive. On the other hand, the decision opens the door to copyright owners seeking injunctions to require Wi-Fi providers to password protect accounts and obtain user identity information.
The CJEU considered what obligations an injunction to prevent copyright infringement may legitimately impose on a free Wi-Fi provider; in particular whether some specific kinds of obligation are prohibited under the EU Charter of Fundamental Rights.
The German referring court was considering an injunction requiring the provider to prevent third parties making a particular copyright work available to the public from a P2P platform. Although the provider could decide what technical measures to take to comply, in practice the only measures that it could take were to terminate or password-protect the internet connection or to examine all communications passing through it.
The CJEU's Advocate General, in his Opinion of 16 March 2016, had recommended that all three types of obligation be held impermissible.
The CJEU held, for each type of measure:
- Monitoring all the information transmitted was impermissible as contrary to the prohibition on general monitoring obligations in Article 15 of the Electronic Commerce Directive.
- Terminating the internet connection completely would cause a serious infringement of the freedom to conduct business. It would categorically prevent an internet access provider from pursuing that activity in order to remedy a limited infringement of copyright without considering the adoption of measures less restrictive of that freedom. In those circumstances such a measure would not strike a fair balance between the fundamental rights concerned.
- Securing the connection by password protection is not an impermissible measure. Such a measure does not damage the essence of a service provider's freedom to conduct business in so far as it is limited to "marginally adjusting one of the technical options open to the provider in exercising its activity".
Nor does it undermine the essence of the right to freedom of information of users of the service, being limited to requiring users to request a password and it being clear that the connection is only one of several means of accessing the internet.
Such a measure has to be effective, at least making unauthorised access to the content difficult to achieve and seriously discouraging users from accessing it. A password-protection measure may be dissuasive, "provided that those users are required to reveal their identity in order to obtain the required password and may not therefore act anonymously, a matter which it is for the referring court to ascertain".
The CJEU went on to say that, since it had rejected the first two measures, to reject securing the internet connection would deprive the fundamental right of intellectual property of any protection. A measure such as password protection must therefore be considered necessary to ensure the effective protection of the fundamental right.
It therefore followed that a measure consisting of securing a connection is capable of striking a fair balance between the fundamental rights concerned (intellectual property, freedom to conduct a business and the right of users to receive information).
The CJEU also addressed some perhaps less controversial questions.
- It held that the Wi-Fi service in question, although it was provided free of charge, was of a kind normally provided for remuneration and so qualified as an information society service within scope of the Electronic Commerce Directive. It was part of the shop's economic activity, provided for the purpose of advertising the goods sold and the services provided by the shop.
- In order to fall within the conduit protection of Article 12 of the Directive there were no further conditions beyond providing access to a communication network in the sense of a technical, automatic and passive transmission process. Any natural or legal person providing an information society service could fall within Article 12. There did not have to be a contractual relationship between the provider of the service and the recipient, nor did the service provider have to advertise the service.
- The condition for hosting protection that, on gaining relevant knowledge or awareness of illegal activity or information, the provider must act expeditiously to remove or disable access to the information, does not apply to conduit protection under Article 12 of the Directive.
- Since the conduit exception precludes a copyright holder from claiming compensation from a conduit for use of its network by third parties to infringe its rights, it is also precluded from claiming costs of a formal notice or court costs in relation to a claim for compensation. That exclusion does not apply to such costs in relation to a claim for an injunction.
The McFadden decision confirms that free Wi-Fi providers benefit from the liability protections of the Electronic Commerce Directive, at least when the service has an economic context. The judgment also reinforces the significance of the prohibition on general monitoring obligations in Article 15 of the Directive.
The most controversial aspect of McFadden is the possibility of imposing password protection by injunction. This is also the most difficult to understand in terms of its consequences.
Previous CJEU case law (UPC Telekabel Wien) has held that an injunction against a third party ISP under Article 8(3) of the Copyright Directive can be granted only if it satisfies a number of conditions, one of which is that it be effective.
In McFadden the CJEU appears to have decided that password protection would be effective only if the user is required to provide identity details to the service provider so that the user cannot act anonymously. If that does not occur, then seemingly the measure would not qualify as effective and so an injunction ought not to be granted. However, that would (according to the Court) deprive the fundamental intellectual property right of any protection. An alternative would be for the measure to include mandatory provision of users' identity details. That, however, would clearly interfere with the user's right to privacy – a fundamental right that the McFadden judgment does not mention, or take into account in balancing the relevant fundamental rights.
The implications of McFadden seem likely to stimulate intense future debate and may require further judicial elucidation.